Agents have tools. Tools have side effects. Side effects interact with real systems: databases, file systems, APIs, networks. A chatbot that hallucinates is embarrassing. An agent that hallucinates a tool call can delete files, leak data, or make unauthorized requests to external services.

This is not hypothetical. Prompt injection attacks can trick an agent into executing commands the developer never intended. A malicious document in a RAG pipeline can instruct the agent to exfiltrate data through a tool call. An agent with overly broad permissions can escalate its own privileges by calling administrative APIs. The attack surface of an agent is the union of every tool it can access, every input it processes, and every network endpoint it can reach.

The core challenge is that you are giving an LLM, a system that is fundamentally unpredictable, the ability to take actions in the real world. You cannot make the LLM perfectly safe. What you can do is build layers of protection around it so that even when the LLM does something unexpected, the blast radius is contained.

That is what this lesson is about: treating agent security as an engineering problem with concrete, implementable solutions.